From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of mswarna
Sent: Friday, 31 January, 2014 08:43
We would like to go for windows app certification/Microsoft client logo
certification. One of the requirements for this is running a tool called
Application Verifier that comes along with the certification kit. When the
application is run under this tool with luaPriv (UAC) related tests, 2 errors
related to UAC were thrown. This basically tests when the user runs the
application with LUA privileges (as standard user).
I've removed the stack trace because it's misleading (for reasons unclear to
me). As you note below, the Windows API NetStatisticsGet is not called from
EVP_EncodeBlock, as the trace claims, but from RAND_poll in rand_win.c.
After going through the openssl code, the root cause may be the use of LanmanServer
and LanmanWorkstation services in the NetStatisticsGet call, as since Windows
Vista they have the UAC concept coming in.
More precisely, NetStatisticsGet is now reserved to administrative users. An
application running under UAC with asInvoker will not have administrative
privileges, and consequently cannot successfully invoke NetStatisticsGet.
I think the correct fix for this is to skip the two calls to NetStatisticsGet
in RAND_poll if the calling thread does not have the Administrators SID in its
token. There's sample code in the MSDN documentation for the
CheckTokenMembership API showing how to make that test.
RAND_poll treats the output of the two NetStatisticsGet calls as contributing
62 bytes of entropy to the pool, but since the calls fail for
non-administrative users anyway, they're already not getting that entropy. (And
the existing code does check for failure.)
Since RAND_poll doesn't depend on NetStatisticsGet succeeding, I believe the
only consequence of this issue is the complaint from Application Verifier. So
it may not be a high priority for OpenSSL developers. Therefore, you may want
to implement the check yourself, or simply remove the calls to NetStatisticsGet
in your own OpenSSL build.
--
Michael Wojcik
Technology Specialist, Micro Focus
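The check the reply proposes, as an added example that is not OpenSSL's rand_win.c nor code from the poster: a helper that tests the calling thread's token for the BUILTIN\Administrators SID via CheckTokenMembership (the pattern from the MSDN sample the reply cites), which RAND_poll could consult before attempting NetStatisticsGet. The non-Windows branch is an assumption for this example so the file also builds elsewhere; it simply reports "not admin", i.e. skip the call.

```c
/* Decide whether RAND_poll should attempt NetStatisticsGet at all, by
 * asking whether the caller's token carries the Administrators SID.
 * Under UAC a non-elevated (asInvoker) process does not, so the call
 * would fail and trip Application Verifier; skipping it avoids both. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>

/* Return 1 if the calling thread's token contains BUILTIN\Administrators,
 * 0 otherwise or on any API failure (fail closed: do not make the call). */
int caller_is_admin(void)
{
    SID_IDENTIFIER_AUTHORITY nt_authority = SECURITY_NT_AUTHORITY;
    PSID admin_sid = NULL;
    BOOL is_member = FALSE;
    int result = 0;

    if (!AllocateAndInitializeSid(&nt_authority, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0, &admin_sid))
        return 0;
    /* A NULL token handle means: use the thread's impersonation token, or
     * the process token if the thread is not impersonating. */
    if (CheckTokenMembership(NULL, admin_sid, &is_member) && is_member)
        result = 1;
    FreeSid(admin_sid);
    return result;
}
#else
/* Assumption for this example: on non-Windows builds there is no UAC token
 * and no NetStatisticsGet, so report "not admin" and the caller skips it. */
int caller_is_admin(void) { return 0; }
#endif

/* The decision RAND_poll would make before its two NetStatisticsGet calls
 * (LanmanWorkstation and LanmanServer): only query when the token can. */
int rand_poll_should_query_netstats(void)
{
    return caller_is_admin();
}

int main(void)
{
    if (rand_poll_should_query_netstats())
        printf("Administrators SID present: NetStatisticsGet would be called\n");
    else
        printf("no Administrators SID: skipping NetStatisticsGet\n");
    return 0;
}
```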